Bandit Level 19 → Level 20

Level Goal

To gain access to the next level, you should use the setuid binary in the homedirectory. Execute it without arguments to find out how to use it. The password for this level can be found in the usual place (/etc/bandit_pass), after you have used to setuid binary.


Looking at the home directory, we see a file bandit20-do is created by bandit20 and accessible by bandit19. The permission of the file is rws. The s permission means when the file is executed, it will run with the permission of the owner.

-rwsr-x--- 1 bandit20 bandit19 7237 Jun 6 2013 bandit20-do

Since the owner is bandit20, we can try to run this and use the elevated permission to look at the next password as well. Just running it tell us we can run a command.

./bandit20-do
Run a command as another user.
 Example: ./bandit20-do id

In this case, let’s cat the password file and find out the next password for bandit20.

./bandit20-do cat /etc/bandit_pass/bandit20
GbKksEFF4yrVs6il55v6gwY5aVje5f0j

Additional References:

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s